Transport Layer Security (TLS) is an essential feature for securing communication in Elasticsearch. By encrypting data in transit, TLS helps protect sensitive information from interception and tampering. This article will guide you through configuring TLS in Elasticsearch, complete with examples and outputs, presented in an easy-to-understand and beginner-friendly manner.
TLS is a cryptographic protocol designed to provide secure communication over a computer network. In Elasticsearch, TLS can be used to encrypt communication between nodes, between Elasticsearch and clients, and between Elasticsearch and Kibana. Setting up TLS ensures that your data remains private and secure.
Prerequisites
Before configuring TLS in Elasticsearch, ensure you have the following:
Elasticsearch requires certificates to enable TLS. You can generate these certificates using OpenSSL or the Elasticsearch Certutil tool. For simplicity, we'll use the Elasticsearch Certutil tool.
First, create a Certificate Authority (CA) that will sign the certificates for your nodes.
bin/elasticsearch-certutil ca
This command will prompt you to enter a file name for the CA. For example, elastic-stack-ca.p12.
Next, generate the certificates for your Elasticsearch nodes using the CA created in the previous step.
bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12
This command will prompt you to enter a file name for the node certificates. For example, elastic-certificates.p12.
Distribute the generated elastic-certificates.p12 file to all your Elasticsearch nodes. This file contains the certificates needed to enable TLS.
Open the elasticsearch.yml configuration file on each node and add the following settings:
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: /path/to/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: /path/to/elastic-certificates.p12
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: /path/to/elastic-certificates.p12
xpack.security.http.ssl.truststore.path: /path/to/elastic-certificates.p12
Replace /path/to/elastic-certificates.p12 with the actual path to your certificate file. The same PKCS#12 file serves as both keystore and truststore because certutil writes the signing CA certificate into it alongside the node certificate and key. Note that verification_mode: certificate only checks that a peer's certificate is signed by a trusted CA; it does not check that the certificate was issued for the hostname you connected to. Use verification_mode: full if you also want hostname verification, and avoid verification_mode: none outside of testing.
Restart each Elasticsearch node to apply the new configuration:
bin/elasticsearch
To verify that TLS is correctly configured, you can use curl to make an HTTPS request to your Elasticsearch cluster.
Example Request
curl --cacert /path/to/elastic-stack-ca.crt -u elastic:password https://localhost:9200
If TLS is configured correctly, you should see a response from Elasticsearch similar to the following:
{
"name" : "node-1",
"cluster_name" : "my-cluster",
"cluster_uuid" : "abcd1234",
"version" : {
"number" : "7.10.0",
"build_flavor" : "default",
"build_type" : "tar",
"build_hash" : "abcdefg",
"build_date" : "2020-11-10T22:14:56.825533Z",
"build_snapshot" : false,
"lucene_version" : "8.7.0",
"minimum_wire_compatibility_version" : "6.8.0",
"minimum_index_compatibility_version" : "6.0.0-beta1"
},
"tagline" : "You Know, for Search"
}
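As an added example (not code from the original article or from Elasticsearch), the following Python script reproduces the two peer checks behind verification_mode: certificate and verification_mode: full using only the standard library, so you can see exactly which misconfiguration each mode catches. It assumes the CA certificate has been exported to PEM as elastic-stack-ca.crt (the file the curl command above expects); the sample certificate data is constructed.

```python
"""Emulate Elasticsearch's verification_mode semantics with stdlib ssl.
Added example, not part of the original article; sample data is constructed."""
import ipaddress
import socket
import ssl
import time

def _dns_match(pattern, hostname):
    """RFC 6125-style match: exact name, or a single leftmost '*' label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern == hostname:
        return True
    p, h = pattern.split("."), hostname.split(".")
    return len(p) == len(h) and p[0] == "*" and len(p) > 2 and p[1:] == h[1:]

def hostname_in_cert(cert, hostname):
    """The extra check 'full' mode adds on top of chain validation: the name
    or IP we connected to must appear in the certificate's SAN extension."""
    sans = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(hostname)
        return any(k == "IP Address" and ipaddress.ip_address(v) == ip for k, v in sans)
    except ValueError:
        return any(k == "DNS" and _dns_match(v, hostname) for k, v in sans)

def verify_peer(cert, hostname, mode, now=None):
    """Return 'ok' or a reason string. Chain trust (signed by the CA in the
    truststore) is assumed already enforced by the TLS layer, as in live_check."""
    now = time.time() if now is None else now
    if ssl.cert_time_to_seconds(cert["notAfter"]) < now:
        return "expired"
    if mode == "certificate":
        return "ok"  # trusted CA signature is enough; hostname is ignored
    if mode == "full":
        return "ok" if hostname_in_cert(cert, hostname) else "hostname mismatch"
    return "unsupported mode"  # 'none' disables verification; keep it out of production

def live_check(host, port, cafile, mode="full"):
    """Handshake with a node like the curl command does, then apply verify_peer."""
    ctx = ssl.create_default_context(cafile=cafile)  # CERT_REQUIRED against our CA
    ctx.check_hostname = False  # the hostname rule is applied by verify_peer instead
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return verify_peer(tls.getpeercert(), host, mode)

# Constructed sample: a certificate the CA issued for node-2, presented by a
# host we addressed as node-1. 'certificate' mode accepts it; 'full' does not.
SAMPLE_CERT = {
    "subject": ((("commonName", "node-2"),),),
    "subjectAltName": (("DNS", "node-2.es.internal"), ("IP Address", "10.0.0.12")),
    "notAfter": "Nov 10 22:14:56 2030 GMT",
}
```

Running live_check("localhost", 9200, "/path/to/elastic-stack-ca.crt") against a node configured as above returns "ok" when the chain and SAN are right, and the reason string otherwise.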
If you are using Kibana with Elasticsearch, you need to configure Kibana to communicate with Elasticsearch over HTTPS.
Open the kibana.yml configuration file and add the following settings:
elasticsearch.hosts: ["https://localhost:9200"]
elasticsearch.ssl.certificateAuthorities: ["/path/to/elastic-stack-ca.crt"]
elasticsearch.username: "kibana_system"
elasticsearch.password: "password"
server.ssl.enabled: true
server.ssl.certificate: /path/to/kibana.crt
server.ssl.key: /path/to/kibana.key
Restart Kibana to apply the new configuration:
bin/kibana
To test the TLS configuration between Kibana and Elasticsearch, open Kibana in your browser using the HTTPS protocol:
https://localhost:5601
You should see the Kibana login page. Log in using the Kibana system user credentials.
Issue: Certificate Verification Failed
If you encounter a certificate verification error, ensure that the certificate paths are correct and that the certificates are valid. You can use the following OpenSSL command to check the certificate:
openssl x509 -in /path/to/elastic-stack-ca.crt -text -noout
Issue: Elasticsearch Fails to Start
If Elasticsearch fails to start after configuring TLS, check the Elasticsearch logs for error messages related to SSL configuration. Common issues include incorrect paths to certificate files or missing configuration settings.
Issue: Curl Command Fails with SSL Error
If the curl command fails with an SSL error, ensure that you are using the correct CA certificate and that the Elasticsearch node is accessible over HTTPS.
Configuring TLS in Elasticsearch is a crucial step in securing your data and ensuring secure communication between nodes and clients. By following this guide, you can set up TLS in Elasticsearch, generate the necessary certificates, and configure both Elasticsearch and Kibana to use TLS.
This guide covered generating certificates, configuring Elasticsearch and Kibana for TLS, verifying the configuration, and troubleshooting common issues. By implementing TLS, you enhance the security of your Elasticsearch deployment, protecting your data from unauthorized access and ensuring secure communication within your cluster.